Critical vulnerability in PolKit allows gaining root on most Linux distributions

Qualys has identified a vulnerability (CVE-2021-4034) in the Polkit system component (formerly PolicyKit), which distributions use to let unprivileged users perform actions that require elevated access rights. The vulnerability allows an unprivileged local user to escalate their privileges to root and gain full control over the system. The issue has been named PwnKit and is notable for the availability of a working exploit that runs in the default configuration on most Linux distributions.

The problem lies in PolKit's pkexec utility, which ships with the SUID root flag and is designed to run commands with the privileges of another user according to the configured PolKit rules. Because of incorrect handling of the command-line arguments passed to pkexec, an unprivileged user can bypass authentication and have their code run as root, regardless of the configured access rules. For the attack it does not matter which settings and restrictions are specified in PolKit; it is enough that the SUID root attribute is set on the executable file of the pkexec utility.

pkexec does not check the validity of the number of command-line arguments (argc) passed when the process is started. The pkexec developers assumed that the first entry in the argv array always contains the process name (pkexec), and the second either a NULL value or the name of the command to be launched via pkexec. Since the argument count was not checked against the actual contents of the array and was assumed to always be greater than 1, if an empty argv array is passed to the process, which the Linux execve function permits, pkexec treats NULL as the first argument (the process name) and the one after it, which lies outside the array's memory, as the next array element:

    |---------+---------+-----+------------|---------+-----------+-----+------------|
    | argv[0] | argv[1] | ... | argv[argc] | envp[0] | envp[1]   | ... | envp[envc] |
    |----|----+----|----+-----+------|-----|----|----+-----|-----+-----+------|-----|
         V         V                 V          V          V                  V
     "program" "-option"            NULL     "value"  "PATH=name"            NULL

The point is that in memory the argv array is immediately followed by the envp array containing the environment variables. Thus, if the argv array is empty, pkexec extracts the information about the command to be run with elevated privileges from the first element of the environment variable array (argv[1] becomes identical to envp[0]), whose contents the attacker can control.

After receiving the value of argv[1], pkexec tries, taking into account the file paths in PATH, to determine the full path to the executable file and writes a pointer to the string with the full path back into argv[1], which results in overwriting the value of the first environment variable, since argv[1] is identical to envp[0]. By manipulating the name of the first environment variable, the attacker can substitute another environment variable in pkexec, for example the "LD_PRELOAD" environment variable, which is not permitted in suid programs, and arrange for their shared library to be loaded into the process.
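To make the layout in the figure concrete, the following added C model (not code from the article or from polkit) builds the argv/envp image the way execve() lays it out, shows that with argc == 0 the write-back into argv[1] lands in envp[0], and contrasts it with the argc guard that the fix adds. The "/usr/bin/" prefix stands in for a real PATH lookup, and the environment strings are the constructed values from the figure.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 64

/* Constructed model of the stack image execve() builds for a new process:
 * argv[0..argc-1], NULL, envp[0..envc-1], NULL. Returns envp, which always
 * sits at argv + argc + 1. */
static char **lay_out(char **image, int argc, const char **args,
                      int envc, const char **env)
{
    int i, n = 0;
    for (i = 0; i < argc; i++) image[n++] = (char *)args[i];
    image[n++] = NULL;                    /* argv[argc] terminator */
    char **envp = &image[n];
    for (i = 0; i < envc; i++) image[n++] = (char *)env[i];
    image[n++] = NULL;
    return envp;
}

/* Model of pkexec's argument handling. With check == 0 it behaves like the
 * unfixed code: argv[1] is taken as the program name, resolved to an
 * absolute path ("/usr/bin/" stands in for the PATH search) and written
 * back into argv[1] without ever consulting argc. With check == 1 the guard
 * from the fix runs first. Returns -1 rejected, 0 nothing to do, 1 resolved. */
static int pkexec_model(int check, int argc, char **argv, char *resolved)
{
    if (check && argc < 1) return -1;     /* empty argv: refuse to run */
    if (check && argc < 2) return 0;      /* no program name given */
    snprintf(resolved, PATH_BUF, "/usr/bin/%s", argv[1]);
    argv[1] = resolved;
    return 1;
}

/* Run the model with argc == 0 and the environment from the figure.
 * Returns 1 if envp[0] was overwritten with the resolved path, 0 if it
 * stayed intact, -1 if argv[1] and envp[0] are not the same slot. */
static int envp0_clobbered(int check)
{
    char *image[8];
    static char resolved[PATH_BUF];
    const char *env[] = { "value", "PATH=name" };
    char **argv = image;
    char **envp = lay_out(image, 0, NULL, 2, env);
    if (&argv[1] != &envp[0]) return -1;  /* argv[1] aliases envp[0] */
    pkexec_model(check, 0, argv, resolved);
    return strcmp(envp[0], "/usr/bin/value") == 0;
}
```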

The working exploit involves substituting the GCONV_PATH variable, which is used to determine the path to the character conversion library that is loaded dynamically when the g_printerr() function is called, whose code uses iconv_open(). By redefining the path in GCONV_PATH, an attacker can ensure that instead of the standard iconv library their own library is loaded, whose handlers are executed when an error message is displayed, at a stage when pkexec is still running with root privileges and before launch permissions are checked.

It is noted that although the problem is caused by memory corruption, it can be exploited reliably and repeatedly regardless of the hardware architecture used. The prepared exploit was successfully tested on Ubuntu, Debian, Fedora and CentOS, but it can also be used on other distributions. The original exploit has not yet been published, but it is said to be trivial and other researchers could easily recreate it, so it is important to install the patch update as soon as possible on multi-user systems. Polkit is also available for BSD systems and Solaris, but their exploitability has not been studied. What is known is that the attack cannot be carried out on OpenBSD, since the OpenBSD kernel does not allow a null argc value to be passed when execve() is called.

The problem has existed since May 2009, when the pkexec command was added. The fix for the PolKit vulnerability is currently available as a patch (no release has been made), but since distribution developers were notified of the problem in advance, most distributions published updates at the same time as the vulnerability details were disclosed. The issue has been fixed in RHEL 6/7/8, Debian, Ubuntu, openSUSE, SUSE, Fedora, ALT Linux, ROSA, Gentoo, Void Linux, Arch Linux and Manjaro. As a temporary measure to block the vulnerability, you can remove the SUID root flag from the /usr/bin/pkexec program ("chmod 0755 /usr/bin/pkexec").



source: budenet.ru
